Leaders and Boards will often now describe cyber as their most critical business risk.

They know how the threat environment is changing. They are trying to keep up with shifting laws and regulations. And they also increasingly see companies’ reputations suffering in the public arena if cyber crises are mishandled. They are increasingly seeing cyber as a risk to reputation, as well as to business-as-usual.

For companies, the reputational damage of a cyber breach is often less the technical damage done, the money lost, or the regulatory fines. The highest cost is to reputation. Personal and corporate reputations have been lost because the public management of the crisis has gone badly. Companies too often project uncertainty, an interest in shifting the blame, and a lack of confident leadership. It is often this that has the bottom-line cost.

Cyber crises can be managed well, and companies can recover from them. Ensuring that a company is prepared for a cyber crisis is the vital first step, but building your defenses is as much about communicating well, as it is about your technical resilience.

The era we are in

The corporate world is surfing the wave of a major technology revolution that is defining our times and lives. We are only at the start of it.

The Internet of Things (IoT) promises to do more in the next 15 years than we have gained in the last 15. So far, the revolution has provided digital connectivity and volume data access. The next phase will change our physical space – our travel, our health, and our working patterns. Our demands as customers and citizens are borderless. We want our technology always on, frictionless, everywhere.

Guaranteeing the security of this data is our challenge. We are becoming ever-more dependent on it. It may be a mid-term problem. Encryption or other technologies may solve the problem in two decades. The personal privacy threats (PPI, false flag, identity theft, etc.) may be solved sooner. In the meantime, the data we depend on is becoming increasingly vulnerable to manipulation or disruption. Our trust in its security and reliability is threatened.

And protecting personal privacy will remain vital, even as our ideas of privacy morph and shift as younger generations- for whom privacy is a different concept –gain ascendency.

Determining where the threat to our security comes from has always been complex. In some ways, cyber criminality is at the easy end of the spectrum. These days, political or issue activism has a new instrument to use to make their case. In the future, national conflicts will be fought out – at least partly- in cyberspace, against critical national infrastructures. This is the new world that companies operate in.

What the public think

How to protect data is a critical business issue.

We the public still think of the world in analogue terms, as if privacy was an absolute – or a matter of choice. Few of us comprehend the analytical capabilities that metadata is already generating. Regulators, politicians and companies find it difficult to communicate with a public (and media) that is often inconsistent, frightened and often uninformed about this new world.

Loss of data will happen but in this emotionally-charged environment, the public reputational consequences of a cyber breach can be hard to predict. A company which has not established trust will find this a more difficult journey than a company that is already trusted for competency, professionalism and stewardship. It is possible to build defences that reduce the likelihood of a cyber attack being successful and ensure that companies are better prepared to manage cyber crises when they happen.

First line of defence – Strengthening internal culture

Cyber is about people. People are your protection and your weakness.

Your people make you vulnerable – because you have not trained them, enthused them or vetted them. Knowing your people is your best defence, and building a culture where risks are spotted and reported – where behavioural abnormalities and discontent are noted and acted on. Building a security culture is about good management. Culture is not the responsibility of compliance or security, but of your leadership. A security culture is not built by accident, but through sustained communication campaigns and commitment.

Have you defined your critical staff, those with access and the capability to do you harm? What about third party staff with access to your systems?

What vetting processes do you have in place? Are you able to spot Bad Apples or Unhappy Apples?

Is data security still seen only as a compliance issue? How are compliance requirements communicated? Do they change behaviours? How do you know? Do your people understand the why of security, as well as the what? Is data security hard-wired into the DNA of your company, its sense of professionalism, and the obligations it has to your customers?

Do your staff know where the dangers are and what to be suspicious of? Your attackers are working hard to find out about these people, to spot their vulnerabilities, to build on-line relationships, and to employ deception to tease access codes out of them. Are you protecting them?

Is IT security led from the top?

Second line of defence – Preparedness

Preparedness is as much an attitude of mind, as having a Crisis Manual. In the real world, cyber crises are best managed by a leadership that is confident and knowledgeable about the issue, and knows how to project authority and discipline.

But a crisis management process can help shape that discipline and confidence. Poor management of the public reaction to a cyber incident can easily turn an incident into a reputational crisis. The actual scale of the cyber incident or attack may be small but the public reaction to it may be in uninformed, critical and emotionally-charged. Managing a company’s public response to this requires authority and discipline.

And whatever the scale of the cyber incident, crisis communications requires agility, confidence, leadership, quick decisions and a clear understanding of the core narrative and messaging you wish to project. Building a robust regime of rehearsal and review, at operational and executive level, is a vital step in building an authoritative and disciplined communications response.

Do you have a crisis team? Who is on it? Do you distinguish between an operational crisis team and an executive management team?

Does your senior management team understand cyber? Does it understand the range of risks and systems that you own?

Do you know what data you collect, buy or hold? Do your customers understand your data practices? Do you know how your company’s data security practices match up to industry standards?

Are you confident that you will be alerted in the event of a cyber incident? Who needs to be told?

Is someone tasked with assessing the potential reputational impact of an incident as it evolves?

Do you have a communications toolkit – a set of messages around company’s data privacy messages, a company factsheet, and draft communications to each stakeholder audience?

Do you know who the spokespeople should be and what responsibilities they have? Have they been media trained for a crisis situation?

Have you identified the range of your key stakeholders and their needs, and are you clear who is responsible for managing these range of relationships?

Have you thought through your media strategy?

Are you confident about your engagement with regulators and law enforcers, and know who can call whom at the moment of a crisis?

Are you comfortable about how you will respond to criticism online, and how you engage with a crisis which is likely to play out through social media?

The best way of ensuring preparedness is to test it, so that your leadership understand the scope of the challenges, and can endorse the company’s approach.

Third line of defence – Assurance

Increased scrutiny from the media and all stakeholders on the strength of a company’s data security stems from the increase in public attacks and increasing regulation, including the EU’s General Data Protection Regulation, which in 2018 is scheduled to impose new disclosure requirements across Europe and raises the potential for significant fines. A company seen to be competent, authoritative and transparent about their data and security of it will be better disposed in the eyes of the public and the regulator. Regulators are also seeking assurance that companies are prepared for crises. Companies need to reassure all audiences that customer data is safeguarded and that this stewardship extends beyond simple adherence to the law.

Fourth Line of Defence: A Confident Response to Crisis

The guiding principles for any crisis are the same:

Discipline and coordination is critical. A crisis response needs to deliver a coordinated approach, with clear and disciplined messaging.

Timing is critical. The media operates continually, and social media gives the public an immediate voice and platform. Decisions need to be made quickly, particularly around media communications.

Leadership is critical. Managing public sentiment in crisis depends on projecting an authoritative and commanding narrative, and leading the story. Leadership, both externally and internally, is required to project authority and competence.

Transparency is critical. Your reputation depends on being regarded as honest and forthright in your public responses.

Reacting to a cyber breach demands a clear process, and clear responsibilities for action and decisions. A company needs to ask itself:

Is the breach public? What judgements can be made on whether it will go public? Can you control the timing?

Are you monitoring the media and digital discussion forums for public disclosure?

Have you convened your crisis team?

Have you notified external counsel and other advisors?

Is it clear how sensitive the data is that has been breached?

Who else needs to be notified or warned?

What should you tell your people?

Once it is public:

Have you activated media monitoring? Do you know what is being reported?

Are you clear who is leading the response?

Are you keeping track of events and developing a clearer record of facts to adjust the public response?

Have you communicated with all front line employees and management around media protocols and lines to take?

Do you have a social media response plan for the crisis and separately for ongoing customer service?

Have you agreed lines-to take and statements for each audience?

Have you confirmed disclosure requirements?

Do your senior management know who they need to contact? What is the Board’s role?

Facing a cyber breach is a critical moment for a CEO. News of the breach could come from the IT team or externally including social media, traditional media, the hacker or a key customer. But it is unlikely that the company can be sure of many of the details – what has been lost, how much data has gone, who might have been responsible. It could escalate quickly to the CEO being in the frontline of media questions. There is a temptation to lay the blame somewhere, which doesn’t always help. The CEO will want to reassure customers, but may not have the facts that allow him or her to do this.

Social media can be used as a data tool to indicate whether the public crisis is getting better or worse. But it can also be used to reach your public and customers directly, to provide reassurance and information. The general rule of thumb is that anything the company does to engage on social media will increase the volume around the incident. This may be what you want, but it may not be. You may not have a choice. Customer service through social media cannot go quiet. If social media activity is only a spike, then company engagement might re-energise the debate. If it is an escalating public conversation, there may be no option but to engage.

The best approach is having a clear set of messages, and a track record of data stewardship and security that you are proud of. You will need to be able to say quickly the immediate steps taken to manage the breach and ensure the most sensitive data is protected. You will want to be clear about your cooperation with the authorities. And you will want customer communication to be at the heart of your approach.

Reputational rebuild

While resolving these incidents is always a critical focus of management, shaping the longer term reputation and external engagement of the company through these periods is of central importance. Some crises are quickly forgotten. Others have a long term impact on reputation of the company and the leadership. Once the headlines are over, it is always tempting to believe that a company’s reputation has been restored. Understanding the long term impact on perceptions of your company and leadership, among your customers, your employees, your investors and the media is a critical tool in shaping your public engagement. This can be done by guesswork, or by hard data. But a clear sense of how your reputation has changed allows you to respond. Crises present opportunities to drive through change that can be more difficult to achieve in other circumstances.